Facebook is blaming Tuesday night's embarrassing defacement of CEO Mark Zuckerberg's Facebook fan page on an API "bug" that allowed unauthorized persons to post not only on his page but those of an undisclosed number of other users.
Facebook claims the problem has been rectified.
And in an apparent coincidence, Facebook yesterday also announced a pair of security enhancements: expanded use of HTTPS (Hypertext Transfer Protocol Secure) and the introduction of "social authentication," a captcha-like system that, instead of relying on hard-to-read nonsense words, uses the familiar photographs of a Facebook user's friends. (The latter is not getting rave reviews from Network World readers.)
According to a CNET report:
A Facebook spokesman provided this e-mail statement today: "A bug enabled status postings by unauthorized people on a handful of public pages. The bug has been fixed."
Whoever is responsible only had the ability to post on the page and did not have access to private data on the Facebook account, Joe Sullivan, chief security officer at Facebook, said in a follow-up interview with CNET. "It was a very limited bug in that it only applied to the ability to post," he said.
Specifically, the bug was in an API (application programming interface) that allows publishing functionality on the site, said Ryan McGeehan, security manager for incident response at Facebook.
Graham Cluley, senior technology consultant at security vendor Sophos, sees the Facebook explanation as potentially more troubling than if the unauthorized access had been enabled by simple carelessness.
So, it wasn't a story of a 26-year-old logging in at Starbucks and not realizing that someone could be intercepting the communications. And it wasn't a tale of a junior member of staff choosing a password like "123456789" for their Facebook account, and being given the keys to administer a page with 2.8 million fans.
Those kinds of mistakes aren't uncommon, of course, and are security issues which you should be mindful of if you are responsible for the protection of computers and online activity inside your own organization.
Instead, it turns out that the true story of the Zuckerberg fan page hack is much worse, because a vulnerability in the way that Facebook was coded allowed unauthorized parties to post updates to pages, which could have potentially been used for the purposes of phishing, spam and even malicious attack.
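The statements above describe the bug only as a publishing API that let unauthorized people post to pages; Facebook has not published the code. The following is an added illustration of that class of bug, written for this article and not taken from Facebook: a publish handler that confirms the caller is logged in but never checks that the caller administers the target page, beside the corrected handler, plus an audit that scans a page's existing posts for authors who were not admins at the time of the check. The page store, user ids and `Forbidden` exception are constructed for the example.

```python
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Raised when a caller is not permitted to perform an action."""


@dataclass
class Page:
    page_id: str
    admins: set                      # user ids allowed to post as this page
    posts: list = field(default_factory=list)   # (author_user_id, message)


def make_sample_pages():
    """Constructed sample data: one public page with a single admin."""
    return {"page-42": Page(page_id="page-42", admins={"admin-1"})}


def publish_vulnerable(user_id, page_id, message, pages):
    """Vulnerable pattern: authentication only.

    Any logged-in user can post as any page, because the handler never asks
    whether *this* user may administer *this* page.
    """
    if not user_id:
        raise Forbidden("login required")
    page = pages.get(page_id)
    if page is None:
        raise Forbidden("no such page")
    page.posts.append((user_id, message))
    return True


def publish_fixed(user_id, page_id, message, pages):
    """Fixed pattern: authentication plus per-page authorization."""
    if not user_id:
        raise Forbidden("login required")
    page = pages.get(page_id)
    if page is None:
        raise Forbidden("no such page")
    # The missing check: the caller must be an admin of the target page.
    if user_id not in page.admins:
        raise Forbidden(f"{user_id} may not post to {page_id}")
    page.posts.append((user_id, message))
    return True


def audit_posts(pages):
    """Detection side: list (page_id, author) for posts whose author is not
    currently an admin of that page. Useful as a retrospective check once a
    publishing bug of this kind is suspected."""
    suspicious = []
    for page in pages.values():
        for author, _message in page.posts:
            if author not in page.admins:
                suspicious.append((page.page_id, author))
    return suspicious


if __name__ == "__main__":
    pages = make_sample_pages()
    publish_vulnerable("stranger", "page-42", "not an admin, still posted", pages)
    publish_fixed("admin-1", "page-42", "legitimate post", pages)
    try:
        publish_fixed("stranger", "page-42", "blocked", pages)
    except Forbidden as exc:
        print("fixed handler refused:", exc)
    print("posts by non-admins:", audit_posts(pages))
```

The difference between the two handlers is a single membership test; the vulnerable version is "logged in, therefore allowed", which is exactly the confusion between authentication and authorization that lets a stranger post to a page they do not own.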
On the brighter side, Zuckerberg's Facebook page is functioning once again; it had been disabled yesterday after being defaced. (Although, oddly enough, the most recent update to his wall is dated Dec. 15, when he acknowledged being named TIME's "Person of the Year.")
(Update: Speaking of TIME, one of its bloggers points out a clear risk for Facebook from such headline-grabbing screw-ups: "It's high time Facebook introduced increased security options to protect users, especially if it wants to retain its body of high-profile accounts. It's no secret that the celebrity body has almost officially adopted Twitter as its social network of choice, and with hacks on Selena Gomez, Italy's Silvio Berlusconi and even Zuckerberg himself, obviously, profile hacking is an issue.")
(Update 2: Stan Schroeder at Mashable has more about the enhanced HTTPS support: "HTTPS provides a combination of the HTTP and SSL protocols, enabling encrypted communication between your computer and a web server. Without it you're exposed to sniffing attacks on the network; for example, if you're using a public Wi-Fi to access Facebook via plain HTTP, someone using the Firesheep add-on for Firefox can easily retrieve your data. HTTPS makes it a lot harder to do that. The feature is available as an option on the Account Settings page. If you don't see it yet, don't worry; Facebook will be gradually rolling it out over the next couple of weeks.")
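The Firesheep risk described in that update is a session cookie that travels over plain HTTP, where anyone on the same Wi-Fi can read it. Offering HTTPS is only half the fix; the cookie itself must also be marked `Secure` so the browser never sends it over HTTP. The following is an added example, not code from Facebook or Mashable, of a small audit that parses `Set-Cookie` headers, flags session cookies missing the `Secure` or `HttpOnly` attributes, and shows the hardened header. The header strings and the list of session cookie names are constructed for the example.

```python
# Constructed sample Set-Cookie headers (not captured from any real site).
SAMPLE_HEADERS = [
    "Set-Cookie: sessionid=abc123; Path=/; HttpOnly",
    "Set-Cookie: sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
    "Set-Cookie: theme=dark; Path=/",
]

# Names assumed (for this example) to identify session-bearing cookies.
SESSION_NAMES = {"sessionid", "sid", "auth"}


def parse_set_cookie(header):
    """Split a Set-Cookie header into (name, value, attributes).

    Attribute keys are lower-cased; flag attributes such as Secure map to True,
    valued attributes such as Path map to their string value.
    """
    body = header
    if header.lower().startswith("set-cookie:"):
        body = header.split(":", 1)[1]
    parts = [p.strip() for p in body.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return name.strip(), value.strip(), attrs


def audit_cookie(header, session_names=SESSION_NAMES):
    """Return a list of findings for a session cookie; empty if fine or if the
    cookie is not a session cookie."""
    name, _, attrs = parse_set_cookie(header)
    if name.lower() not in session_names:
        return []
    findings = []
    if "secure" not in attrs:
        # Without Secure the browser will send the cookie over plain HTTP,
        # which is what a passive sniffer on open Wi-Fi is waiting for.
        findings.append(f"{name}: missing Secure flag")
    if "httponly" not in attrs:
        findings.append(f"{name}: missing HttpOnly flag")
    return findings


def harden_set_cookie(header):
    """Append the Secure and HttpOnly attributes if they are absent."""
    _, _, attrs = parse_set_cookie(header)
    out = header.rstrip().rstrip(";")
    if "secure" not in attrs:
        out += "; Secure"
    if "httponly" not in attrs:
        out += "; HttpOnly"
    return out


if __name__ == "__main__":
    for h in SAMPLE_HEADERS:
        findings = audit_cookie(h)
        print(h)
        for f in findings:
            print("   ", f)
        if findings:
            print("    hardened:", harden_set_cookie(h))
```

A site that lets users opt into HTTPS but keeps issuing session cookies without `Secure` still exposes those sessions whenever any `http://` link to the same domain is followed, so the audit above is worth running against the actual headers a server sends once HTTPS is turned on.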